Traffic Encryption in SMB 3.0

In version 3.0 of the Server Message Block (SMB) protocol, introduced in Windows Server 2012 / Windows 8, it became possible to encrypt data transferred over the network between the SMB file server and its clients. Encryption is transparent from the client's point of view and does not require significant organizational effort or resources, unlike deploying VPN, IPSec or a PKI infrastructure. In the latest version, SMB 3.1.1 (used in Windows 10 and Windows Server 2016), AES-128-GCM is used for encryption and the performance of the algorithm is significantly improved. In addition, data signing and verification are performed automatically.

Let's consider the details of SMB encryption in Windows Server 2012. First of all, you have to understand that when a client and a server support different SMB versions, the connection is established using the highest SMB version supported by both sides. This means that clients running Windows versions earlier than Windows 8 / Server 2012 will not be able to access a network folder that has SMB encryption enabled.

On the file server, you can see which SMB protocol version each client is using (the negotiated version is shown in the Dialect column):

Get-SmbConnection

By default, encryption of SMB traffic is disabled on a Windows Server 2012 file server. You can enable it individually for each SMB share or for all SMB connections to the server.

If you need to enable encryption for a specific shared folder, open the Server Manager console on your server and go to File and Storage Services –> Shares. Select the desired shared folder and open its properties. Then go to the Settings tab, enable Encrypt Data Access and save the changes.

You can also enable SMB encryption from the PowerShell console. To enable encryption for a single share (here the share named Install):

Set-SmbShare -Name Install -EncryptData $true

Or for all SMB connections to the server (to shared folders or administrative resources):

Set-SmbServerConfiguration -EncryptData $true

After SMB encryption is enabled for a network share, legacy clients (earlier than Windows 8) will no longer be able to connect to it, since they do not support SMB 3.0. If these Windows clients still need to access the share (as a rule only temporarily, otherwise there is little sense in enabling encryption), you can allow unencrypted connections to the server:

Set-SmbServerConfiguration -RejectUnencryptedAccess $false

Tip. Once this mode is enabled, a connecting client can fall back to the outdated SMB 1.0 version, which is not secure (in Windows Server 2012 R2, SMB 1.0 is already disabled by default). In this case, to at least partially secure your server, it is better to disable SMB 1.0 support:

Set-SmbServerConfiguration -EnableSMB1Protocol $false
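Before switching encryption on, it is worth checking which of the settings above are already in effect and which connected clients would be locked out. The following audit script is an added example, not part of the original article; it assumes an elevated PowerShell session on the file server with the SmbShare module (Windows Server 2012 or later) and uses only the cmdlets the article already relies on.

```powershell
# Added example: audit SMB encryption readiness on a Windows Server 2012+ file server.
# Assumes an elevated session where Get-SmbServerConfiguration, Get-SmbShare
# and Get-SmbConnection are available (SmbShare module).

# 1. Server-wide settings that the article toggles.
$cfg = Get-SmbServerConfiguration
[pscustomobject]@{
    EncryptData             = $cfg.EncryptData              # default: False
    RejectUnencryptedAccess = $cfg.RejectUnencryptedAccess  # default: True
    EnableSMB1Protocol      = $cfg.EnableSMB1Protocol
} | Format-List

# 2. Per-share encryption state. Every share is listed, including the
#    administrative ones, so that nothing is overlooked.
Get-SmbShare |
    Select-Object Name, Path, EncryptData |
    Sort-Object EncryptData, Name |
    Format-Table -AutoSize

# 3. Active connections whose negotiated dialect is below 3.0. These clients
#    cannot use SMB encryption and will be rejected as soon as EncryptData is
#    enabled while RejectUnencryptedAccess stays at its default of $true.
$legacy = Get-SmbConnection |
    Where-Object { [version]$_.Dialect -lt [version]'3.0' } |
    Select-Object ClientComputerName, ClientUserName, ShareName, Dialect -Unique

if ($legacy) {
    Write-Warning 'Clients that would lose access once SMB encryption is enforced:'
    $legacy | Format-Table -AutoSize
} else {
    Write-Output 'No active connections below SMB 3.0; encryption can be enforced without lockouts.'
}
```

Run it before enabling encryption and again after disabling SMB 1.0, so that the session list in step 3 confirms no client is still negotiating a pre-3.0 dialect.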